AWS Certified Solutions Architect – Associate (SAA-C03) — Question 642

A company uses Amazon EC2 instances and stores data on Amazon Elastic Block Store (Amazon EBS) volumes. The company must ensure that all data is encrypted at rest by using AWS Key Management Service (AWS KMS). The company must be able to control rotation of the encryption keys.

Which solution will meet these requirements with the LEAST operational overhead?

Answer options

• A. Create a customer managed key. Use the key to encrypt the EBS volumes.
• B. Use an AWS managed key to encrypt the EBS volumes. Use the key to configure automatic key rotation.
• C. Create an external KMS key with imported key material. Use the key to encrypt the EBS volumes.
• D. Use an AWS owned key to encrypt the EBS volumes.

Correct answer: A

Explanation

Customer managed keys (CMKs) allow users to control key rotation policies, including enabling annual automatic rotation, which satisfies the requirement with minimal operational overhead. AWS managed keys and AWS owned keys do not allow users to control or customize key rotation. Importing key material (external keys) requires manual rotation and external management of the key material, which significantly increases operational overhead compared to a customer managed key.